Alert Logic

Security of your digital content and
media applications on AWS
Usman Shakeel | Principal Solutions Architect | Amazon Web Services
Ryan Holland | Director of Cloud Platforms | Alert Logic

Who is attacking and why?
Cyber Criminal
Hacktivist Advanced
Persistent
Threat (APT)

Associated Press – Hacked Twitter Account
• 1% drop in S&P 500
• $136 Bn market drop
• US Treasury bond yield drop
• $ weakens against ¥

TV5Monde Outage
• 11 TV channels off air for 3 hours
• Website & Facebook page defaced
• Email server taken offline

Attack types against media vs other industries
• Higher than Average
• DDOS
• Brute Force
• Application Attacks
• Lower than Average
• Part of a botnet
• Scanning
• Recon

Shared Security Model
• Secure coding and best practices
• Software and virtual patching
• Configuration management
• Access management
• Application level attack monitoring
• Access management
• Patch management
• Configuration hardening
• Security monitoring
• Log analysis
• Network threat detection
• Security monitoring
• Logical network segmentation
• Perimeter security services
• External DDoS, spoofing, and scanning prevented
• Hardened hypervisor
• System image library
• Root access for customer
• Configuration best
practices

Getting to a Secure Baseline
Visibility of the AWS Environment
AWS Security Best Practices
Vulnerabilities on the Instances

Your content
Your Crown Jewels…
Storage | Access Control, Encryption at rest, Access monitoring …
Network or Physical Transfer | Encryption in transit, Network vulnerabilities, …
Value added Services | Encryption and Key Management, Access Controls, …

Shared Responsibility
• AWS responsible for all
backend infrastructure
security
• Customer is responsible for
AWS architecture in their
account and application
security

Security of the Cloud
Facilities
Physical security
Physical infrastructure
Network infrastructure
Virtualization infrastructure
Certifications
MPAA best practices alignment
https://aws.amazon.com/compliance/mpaa/
Cloud Security
Organization &
Management
Operations Data Security
ISO
MPAA

Security on the Cloud (application and content security)
Application Security
Development
Lifecycle
Authentication &
Access
Secure Coding &
Vulnerability
Management
Digital Security
Content
Management
Content Transfer
Storage | S3, Glacier, EBS, Instance Store, EFS
Processing| EC2, Database (RDS/DynamoDB), EMR, ECS, Lambda, SNS, SQS, SWF
Network | VPC, VPN, Direct Connect
Access | IAM, AWS Config, CloudTrail, CloudWatch

Content Security
Development
Lifecycle
Authentication &
Access
Secure Coding &
Vulnerability
Management
Content
Management
Digital Security
Content Transfer

Security of Studio/Post House Workflows
• FAQs
– Highly Valued Pre-Released Assets
– Secure Transfer (physical in many cases)
– Encryption & Key Management
– Access Control
– Deletion Protection
– Isolated from public access (internet)
– Logging and Monitoring
– Content location

Server-side encryption using KMS
Amazon S3 AWS KMSRequest
Policy
Keys managed centrally in Amazon KMS with permissions and auditing of usage

Security of the Studio/Post House Workflows
(Content encryption and access)
corporate data center AWS cloud
users
Content
Servers
disk
tape storage
Processing
Layer
Amazon S3
Amazon EBS
Amazon Glacier
KMS/
HSMClient side
encryption
role
IAM
role
Encrypted
Content
AWS Import/Export
Snowball

Availability Zone A
Private subnet Private subnet
AWS
region
Virtual Private
Gateway
Content Value-add
Service
Content Value-add
Service
Availability Zone B
Locking down S3 access with virtual private endpoint (VPCE)
Amazon
S3
VPC
VPN
connection
VPC Endpoints
• No IGW
• No NAT
• No public IPs
• Free
• Robust access
control
Customer
network

Private subnet Private subnet
AWS
region
AppsValue-add Service
VPC Endpoints in action
VPC
High Valued Assets Everything else
VPCE1 VPCE2
Private subnet
Apps
1. Subnet Route Table
gives connectivity to
the VPCE
2. VPCE IAM policy
restricts what buckets
the VPCE allows access
to
3. Bucket Policy restricts
access to specific
VPCEs (or VPCs) ONLY
4. Security Groups on
instances further
restrict which
resources can access
S3

Security of the Studio/Post House Workflows
(No Public network traversal)
corporate data center AWS cloud
users
Content
Servers
disk
tape storage
Processing
Layer
Amazon S3
Amazon EBS
Amazon Glacier
KMS/
HSMClient side
encryption
role
IAM
Encrypted
Content
role
Direct Connect
S3VPCEndpoint

12 Regions
32 Availability Zones
54 Edge locations
Where is my content?

Additional Storage Security Controls
Amazon S3
PermissionsAccess Logs
Amazon Glacier
AWS CloudTrail
Vault lock
Versioning Durability

VPC Flow Logs: Automation
Amazon
SNS
CloudWatch
Logs
Private subnet
Value-add Service for
High Valued assets
AWS
Lambda
If SSH REJECT > 10,
then…
Elastic
Network Interface
Metric filter
Filter on all SSH
REJECTFlow Log group
CloudWatch
alarm
Source IP

Additional Security Controls
(Elastic Transcoder Security)
• Encryption at rest
Server managed keys
Client provided keys
• Integration with AWS Key Management Service
Amazon Elastic Transcoder only accepts AWS KMS protected keys
Key is never written or stored in cleartext
• Encryption for HLS streams
Built on top of “client provided keys” API
Amazon Elastic Transcoder generates HLS playlists embedding URI for decryption key
• Digital Rights Management
PlayReady DRM packaging
• CloudTrail Integration
AWS CloudTrail
Elastic Transcoder
KMS
Amazon S3
role
Watermarking

Content Transfer
Content Security
Development
Lifecycle
Authentication &
Access
Secure Coding &
Vulnerability
Management
Digital Security
Content
Management

Security of the Distribution (content transfer)
Workflow (B2B)
AWS cloud
Proxy Layer (Optional)Amazon S3
KMS/
HSM
IAM
role
S3 VPC Endpoint
Internal Users
Vendors/Partners
Affiliates/Distributors
Fine grained temporary access
Temporary Access
Temporary Access
Access Logs
Remote Application
Streaming

A secure way to physically transfer content – at scale
Scale and Speed
• Up to 50TB Capacity per device
• 10Gbps and 1Gbps connectivity
• Parallel data transfer enables PBs transferred in a week
Secure
• Tamper-resistant enclosure
• 256-bit encryption with KMS
• Secure data erasure
Simple
• Manage entire process through AWS Console
• Lightweight data transfer client
• Notifications
Amazon Import/Export Snowball

Security of Content Distribution Applications
• FAQs
– Access Control, Rights Management & Content
Monetization
– DRM Packaging
– Encryption
– Logging and Monitoring

AWS mechanisms for securing media delivery
Token / signed
URLs
AES encryption
DRM
Geoblocking
Watermarking
Amazon CloudFront – Private Content (Signed URLs, signed Cookies, OAIs)
Amazon Elastic Transcoder – HLS with AES-128 encryption
AWS Key Management Service – Key Management for Amazon Elastic Transcoder, Amazon EC2, and
Amazon S3
Amazon Elastic Transcoder – PlayReady DRM packaging
Amazon CloudFront – Geo-restriction
Amazon Elastic Transcoder – Visual watermarks

Amazon S3
(Media Storage)
Amazon CloudFront
CDN Security (Amazon CloudFront Security)
End User
HTTP
• CloudFront’s private content feature
Only deliver content to securely signed requests
• HTTPS ONLY requests/delivery
• Signed URL verification
Policy based on a timed URL or a CIDR block of the requestor
• HTTPS ONLY origin fetches
• AWS WAF
• Trusted signers
• Access logs
• CloudFront origin access identity
• Signed Cookies for Private Content
Include Signature in the cookie itself
Delivery EC2 Instances
Security Group
Signed Request
Amazon S3
(Logs Storage)
Signed Cookie
Verification
AWS WAF

Application Development Security
Development
Lifecycle
Authentication &
Access
Secure Coding &
Vulnerability
Management
AWS Config
Config Rules
AWS IAM
IAM Users
IAM Groups
IAM Roles
AWS CloudTrail AWS Inspector
(preview)

Log, Monitor, Act Proactively
You are making API
calls and accessing
your content ...
On a growing set of
services around the
world accessing your
content
Amazon CloudTrail is
continuously
recording API calls…
And delivering log
files to you…
Elastic Load
Balancing
Amazon S3 Amazon
Glacier
Amazon
CloudFront
Amazon S3/Amazon
CloudFront/App Logs
Access Logs
Feed Logs in Amazon
Cloudwatch or monitor
patterns on Logs
Act Fast or automate
based on realtime
notifications and alerts
Amazon CloudTrail
Elastic
Transcoder

Launch a CloudFormation stack
with all the infrastructure
resources for a specific project
Autoscale the stack as
appropriate
AMI
CloudFormation
Template
CloudFormation
Terminate
Template
Recycle Infrastructure often

A few other topics
• FAQs
– Third Party Media Security Products
• Watermarking
• DRM
– Software Patching and Updates
– Real-time notifications on any security/access
breaches/anomalies

Media Security Software on AWS
SECURE

Monitoring Activity in your environment
Monitor Web Application Traffic
Implement Network Intrusion
Capture Log Data

Security
Analyists
Bringing it together
Monitor Web Application Traffic
Implement Network Intrusion
Capture Log DataAnalytics

Security Events
& Log Data
Escalated Security
Incidents &
Recommendations
ON-PREMISES HOSTED
HYBRID
CLOUD

Compliance
AWS
CloudTrail
Auditing events
from your AWS
infrastructure
Cloud
Defender
Collection of
CloudTrail logs and
analysis
Notification on
Business Rules
Exceptions
Reporting
Customer
IT Operations and
Security Team
consume output
Customer
Defines policies to
meet compliance

Alert Logic

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Alert Logic

Similar to Alert Logic (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Recently uploaded

Recently uploaded (20)

Alert Logic